DETAILED ACTION

1. This action is in response to applicant's amendment filed on December 28, 2009. Claims
3 and 4 have been cancelled and new claims 15-16 have been added. Claims 2, 5, 15 and 16 are
now pending in the present application.

Response to Arguments 

2. Applicant's arguments with respect to claims 2, 5, 15 and 16 have been considered but 
are moot in view of the new ground(s) of rejection. Arguments are directed to newly added 
limitations and the new ground(s) of rejection based on the newly added limitations follow 
below. 

Claim Rejections - 35 USC § 103 

3. The text of those sections of Title 35, U.S. Code not included in this action can be found 
in a prior Office action. 

4. Claims 2, 5, 15 and 16 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Henry et al., U.S. Patent Number 7,441,043 (hereinafter Henry) and further in view of 
Burton et al., U.S. Patent Number 7,287,269 (hereinafter Burton). 

Regarding claim 2, Henry teaches a mobile wireless terminal apparatus (e.g., a mobile 
network access device 200) in a mobile wireless communication system which has a public 
network (e.g., the Internet), a private network (e.g., corporate Intranet 218) and a public wireless 
LAN system (e.g., public WLAN 220) and comprises a virtual private network relay apparatus 
which establishes an IPsec tunnel (i.e., the virtual private network relay apparatus reads on the 
secure mobility gateway for establishing a mobile IPsec tunnel when the mobile device 200 is
connected to the corporate intranet via the Internet) with a network relay apparatus installed on 
the private network (e.g., a gateway identified as GW on the Intranet 218) via the public network 
(i.e., the Internet), further establishes the IPsec tunnel with the mobile wireless terminal 
apparatus (i.e., the network access device 200) and relays connection of the mobile wireless 
terminal apparatus (200) from the public wireless LAN system (220) to the private network (218) 
(see col. 5, lines 29-47, col. 18, lines 40-67 and fig. 2), a home agent that controls moving of the 
mobile wireless terminal apparatus (see col. 12, lines 17-20), a connection authentication server 
(e.g., a centralized authentication server such as a Radius server or AAA) that is installed on the 
public wireless LAN system and authenticates connection of the mobile wireless terminal 
apparatus to the public wireless LAN system, and a wireless LAN access point (e.g., an AP 
within public WLAN) that relays connection authentication procedures of the public wireless 
LAN performed between the mobile wireless terminal apparatus and the connection 
authentication server (see col. 7, lines 40-65 and fig. 2), the mobile wireless terminal apparatus
comprising: 

an authentication processing section that performs authentication processing for 
connection to the public wireless LAN system and to the connection authentication server (i.e., 
the authenticating processing section reads on an IRC client installed on the mobile host 200,
since the IRC client is responsible for authenticating the user or the user's computer and 
creating a secure wireless connection to authenticate the user to a corporate network) (see col. 
5, lines 32-47, col. 10, lines 60-67 and col. 14, lines 44-63); 

an address acquiring section that acquires an IP address of the virtual private network
relay apparatus (e.g., an IP address of the SMG's public interface IPsmg reads on an IP address 
of the virtual private network relay apparatus) from the connection authentication server when 
the connection to the public wireless LAN system is permitted (see col. 10, lines 60-67 and col. 
17, lines 1-13); and 

an address notifying section that sends an IP address of the mobile wireless terminal (e.g., 
an IP address of the user's computer IPmh reads on an IP address of the mobile wireless 
terminal) apparatus to the virtual private network relay apparatus, via the connection 
authentication server (see col. 10, lines 60-67 and col. 17, lines 1-10); 

an IPsec key exchanging section that performs an IPsec key exchange with the virtual 
private network relay apparatus (i.e., SMG) using the IP address of the virtual private network 
relay apparatus (i.e., reads on the teaching that the IRC client establishes an IPsec tunnel (IRC- 
SMG tunnel) between the user computer and the IPsec gateway using IKE (Internet Key 
Exchange) protocol, wherein the SMG is a special mobile IPsec gateway) (see col. 9, lines 54- 
56, col. 11, lines 14-38 and col. 12, lines 3-5, col. 18, lines 40-49). 

Henry fails to explicitly teach wherein the IPsec key exchange is performed by IPsec main
mode.

However an IPsec key exchange performed by IPsec main mode is very well known in 
the art as taught for example by Burton. 

In an analogous field of endeavor, Burton teaches an IPsec key exchange is performed by 
IPsec main mode to allow security peers to authenticate each other and to encrypt data 
transferred across an unsecured Ethernet using the keys generated from the IKE transactions (see
col. 8, lines 13-44 and col. 9, lines 2-11).

It would therefore have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Henry with the teachings of Burton to include the feature of performing an 
IPsec key exchange by IPsec main mode, in order to separate key exchange information from 
identity and authentication information to protect identity information during an authentication 
process as taught by Burton (see col. 2, lines 49-65 and col. 9, lines 3-11).

5. Claims 5, 15 and 16 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Henry et al., U.S. Patent Number 7,441,043 (hereinafter Henry) and in view of Oyama et al., 
U.S. Publication Number 2006/0185013 A1 (hereinafter Oyama) and further in view of
Burton et al., U.S. Patent Number 7,287,269 (hereinafter Burton). 

Regarding claims 5, 15 and 16, Henry teaches a mobile wireless terminal apparatus (e.g., 
a mobile network access device 200) in a mobile wireless communication system which has a 
public network (e.g., the Internet), a private network (e.g., corporate Intranet 218) and a public 
wireless LAN system (e.g., public WLAN 220) and comprises a virtual private network relay 
apparatus which establishes an IPsec tunnel (i.e., the virtual private network relay apparatus 
reads on the secure mobility gateway for establishing a mobile IPsec tunnel when the mobile 
device 200 is connected to the corporate intranet via the Internet) with a network relay apparatus 
installed on the private network (e.g., a gateway identified as GW on the Intranet 218) via the 
public network (i.e., the Internet), further establishes the IPsec tunnel with the mobile wireless 
terminal apparatus (i.e., the network access device 200) and relays connection of the mobile 
wireless terminal apparatus (200) from the public wireless LAN system (220) to the private
network (218) (see col. 5, lines 29-47, col. 18, lines 40-67 and fig. 2), a home agent that controls 
movement of the mobile wireless terminal apparatus (see col. 12, lines 17-20), a connection 
authentication server (e.g., a centralized authentication server such as a Radius server or AAA) 
that is installed on the public wireless LAN system and authenticates connection of the mobile 
wireless terminal apparatus to the public wireless LAN system, and a wireless LAN access point 
(e.g., an AP within public WLAN) that relays connection authentication procedures of the public 
wireless LAN performed between the mobile wireless terminal apparatus and the connection 
authentication server (see col. 7, lines 40-65 and fig. 2), the mobile wireless terminal apparatus 
comprising: 

an authentication processing section that performs authentication processing for 
connection to the public wireless LAN system and to the connection authentication server (i.e., 
the authenticating processing section reads on an IRC client installed on the mobile host 200, 
since the IRC client is responsible for authenticating the user or the user's computer and 
creating a secure wireless connection to authenticate the user to a corporate network) (see col. 
5, lines 32-47, col. 10, lines 60-67 and col. 14, lines 44-63); 

an address acquiring section that acquires an IP address of the virtual private network 
relay apparatus (e.g., an IP address of the SMG's public interface IPsmg reads on an IP address
of the virtual private network relay apparatus) from the connection authentication server when 
the connection to the public wireless LAN system is permitted (see col. 10, lines 60-67 and col. 
17, lines 1-13); and 

an address notifying section that sends an IP address of the mobile wireless terminal (e.g.,
an IP address of the user's computer IPmh reads on an IP address of the mobile wireless
terminal) apparatus to the connection authentication server (see col. 10, lines 60-67 and col. 17, 
lines 1-10); 

Henry fails to explicitly teach an IPsec shared key acquiring section that acquires an 
IPsec pre-shared secret key from the connection authentication server for use in an IPsec key 
exchange performed with the virtual private network relay apparatus; an MIP shared key 
acquiring section that acquires an MIP pre-shared secret key from the connection authentication 
server for use in mobile IP registration made with the home agent; an IPsec key exchanging 
section that performs exchange of the IPsec key with the virtual private network relay apparatus 
using the IPsec pre-shared secret key; and an MIP registering section that initiates the mobile IP 
registration to the home agent using the MIP pre-shared secret key. 

In an analogous field of endeavor, Oyama teaches utilizing an Authorizing, 
Authentication, Accounting (AAA) server to transfer HMIPv6-related information required for 
authenticating and authorizing a mobile node for HMIPv6 service over the AAA infrastructure
(see abstract). For example, Oyama teaches a mobile node (MN) acquires an IPsec shared key 
for use in an IPsec key exchange performed with a Mobility Anchor Point (MAP) (i.e., reads on 
a virtual private network relay apparatus) from an AAA server (see p. 8 [0115, 0117 & 0119]).
Oyama further teaches the mobile node (MN) acquires a pre-shared secret key for use in mobile
IP registration (i.e., requesting to be authenticated and given MIPv6 service) made with a home 
agent (HA) from an AAA server (see p. 8 [0130, 0132 & 0134]). 

It would therefore have been obvious to one of ordinary skill in the art at the time of the
invention to modify Henry with the teachings of Oyama to include a mobile wireless terminal 
apparatus acquiring an IPsec pre-shared secret key for mobile IP registration to a home agent, in 
order to efficiently transfer information for authenticating and authorizing a mobile node 
requesting mobile IP related services over an AAA infrastructure to secure pertinent 
communication as taught by Oyama (see p. 3 [0033, 0035, 0038 & 0060]). 

Henry in view of Oyama fails to explicitly teach wherein the IPsec key exchange is 
performed by IPsec main mode. 

However an IPsec key exchange performed by IPsec main mode is very well known in 
the art as taught for example by Burton. 

In an analogous field of endeavor, Burton teaches an IPsec key exchange is performed by 
IPsec main mode to allow security peers to authenticate each other and to encrypt data 
transferred across an unsecured Ethernet using the keys generated from the IKE transactions (see 
col. 8, lines 13-44 and col. 9, lines 2-11). 

It would therefore have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Henry and Oyama with the teachings of Burton to include the feature of 
performing an IPsec key exchange by IPsec main mode, in order to separate key exchange 
information from identity and authentication information to protect identity information during 
an authentication process as taught by Burton (see col. 2, lines 49-65 and col. 9, lines 3-11). 

Conclusion

6. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 

Swander et al, U.S. Patent Number 6,915,437 discloses system and method for improved 
network security. 

Swander et al, U.S. Patent Number 7,574,603 discloses method of negotiating security 
parameters and authenticating users interconnected to a network. 

Ahonen, U.S. Patent Number 6,976,177 discloses virtual private networks. 

Freeman et al, U.S. Publication Number 2005/0149732 A1 discloses use of static
Diffie-Hellman with IPSec for authentication.

7. Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event,
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

8. Any inquiry concerning this communication or earlier communications from the
examiner should be directed to ANTHONY S. ADDY whose telephone number is (571)272-7795.
The examiner can normally be reached on Mon-Thur 8:00am-6:30pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Patrick Edouard can be reached on 571-272-7603. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/A. S. A./

Examiner, Art Unit 2617 

/Patrick N. Edouard/ 

Supervisory Patent Examiner, Art Unit 2617 



